Selective Capping of Packet Payloads for Network Analysis and Management

  • Víctor Uceda
  • Miguel Rodríguez
  • Javier Ramos
  • José Luis García-Dorado
  • Javier Aracil
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9053)

Abstract

Both network managers and analysts appreciate the importance of network traces as a mechanism to understand traffic behavior, detect anomalies and evaluate performance in a forensic manner, among other applications. Unfortunately, the process of network capture and storage has become a challenge given the ever-increasing network speeds. In this scenario, we intend to make packets thinner to reduce both write speed and storage requirements on hard-drives and further reduce computational burden of packet analysis. To this end, we propose to remove the payload on those packets that hardly could be interpreted afterwards. Essentially, binary packets from unknown protocols fall into this category. On the other hand, binary packets from well-known protocols and protocols with some ASCII data are fully captured as potentially a network analyst may desire to inspect them. We have named this approach as selective capping, which has been implemented and integrated in a high-speed network driver as an attempt to make its operation faster and more transparent to upper layers. Its results are promising as it achieves multi-Gb/s rates in different scenarios, which could be further improved exploiting novel low-level hardware-software tunings to meet the fastest networks’ rates.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Forconesi, M., Sutter, G., López-Buedo, S., López de Vergara, J.E., Aracil, J.: Bridging the gap between hardware and software open-source network developments. IEEE Network 28(5), 13–19 (2014)Google Scholar
  2. 2.
    Fusco, F., Vlachos, M., Dimitropoulos, X.: Rasterzip: compressing streaming network monitoring data with support for partial decompression. In: ACM Internet Measurement Conference, pp. 51–64 (2012)Google Scholar
  3. 3.
    García-Dorado, J.L., Mata, F., Ramos, J., Santiago del Río, P.M., Moreno, V., Aracil, J.: High-Performance network traffic processing systems using commodity hardware. In: Biersack, E., Callegari, C., Matijasevic, M. (eds.) Data Traffic Monitoring and Analysis. LNCS, vol. 7754, pp. 3–27. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  4. 4.
    Han, S., Jang, K., Park, K.S., Moon, S.: PacketShader: a GPU-accelerated software router. In: ACM SIGCOMM, pp. 195–206 (2010)Google Scholar
  5. 5.
    Intel: 82599 10 Gbe controller datasheet (2012). http://www.intel.com/content/www/us/en/ethernet-controllers/82599-10-gb e-controller-datasheet.html (December 1, 2014)
  6. 6.
    Lin, Y.D., Lin, P.C., Cheng, T.H., Chen, I.W., Lai, Y.C.: Low-storage capture and loss recovery selective replay of real flows. IEEE Communications Magazine 50(4), 114–121 (2012)CrossRefGoogle Scholar
  7. 7.
    Maier, G., Sommer, R., Dreger, H., Feldmann, A., Paxson, V., Schneider, F.: Enriching network security analysis with time travel. In: ACM SIGCOMM, pp. 183–194 (2008)Google Scholar
  8. 8.
    Moreno, V., Santiago del Río, P.M., Ramos, J., García-Dorado, J.L., Gonzalez, I., Gómez-Arribas, F.J., Aracil, J.: Packet storage at multi-gigabit rates using off-the-shelf systems. In: IEEE Conference on High Performance and Communications, pp. 486–489 (2014)Google Scholar
  9. 9.
    Moreno, V., Santiago del Río, P.M., Ramos, J., Muelas, D., García-Dorado, J.L., Gómez-Arribas, F.J., Aracil, J.: Multi-granular, multi-purpose and multi-Gb/s monitoring on off-the-shelf systems. International Journal of Network Management 24(4), 221–234 (2014)Google Scholar
  10. 10.
    naudit: Detect-pro (2013). http://www.naudit.es/ (December 1, 2014)
  11. 11.
    Papadogiannakis, A., Polychronakis, M., Markatos, E.P.: Scap: Stream-oriented network traffic capture and analysis for high-speed networks. In: ACM Internet Measurement Conference, pp. 113–124 (2012)Google Scholar
  12. 12.
    Schneider, F., Ager, B., Maier, G., Feldmann, A., Uhlig, S.: Pitfalls in HTTP traffic measurements and analysis. In: Taft, N., Ricciato, F. (eds.) PAM 2012. LNCS, vol. 7192, pp. 242–251. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  13. 13.
    Taylor, T., Coull, S.E., Monrose, F., McHugh, J.: Toward efficient querying of compressed network payloads. In: USENIX Annual Technical Conference, pp. 113–124 (2012)Google Scholar
  14. 14.
    Walsworth, C., Aben, E., Claffy, K., Andersen, D.: The CAIDA anonymized 2009 Internet traces. http://www.caida.org/data/passive/passive_2009_dataset.xml (December 1, 2014)

Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  • Víctor Uceda
    • 1
  • Miguel Rodríguez
    • 1
  • Javier Ramos
    • 1
  • José Luis García-Dorado
    • 1
  • Javier Aracil
    • 1
  1. 1.High Performance Computing and NetworkingUniversidad Autónoma de MadridMadridSpain

Personalised recommendations